PCI DSS 3.2: New SAQ Changes, Revision 1.1 (January 2017)

In our post PCI DSS 3.2: The Major Changes, we reviewed the changes that came with the Version 3.2 release of the PCI Data Security Standard (PCI DSS 3.2). In this post, we discuss the January 2017 revision of certain PCI DSS Self-Assessment Questionnaires (SAQs), published as PCI DSS SAQ Revision 1.1. For those new to PCI DSS, Self-Assessment Questionnaires (SAQs) are forms that eligible merchants complete and attest to themselves in order to satisfy their annual PCI DSS compliance validation; which SAQ a merchant may use depends on how it accepts and handles cardholder data. For more information on PCI DSS compliance, see our post What is PCI Compliance?.

Why are the PCI DSS SAQs Being Updated?

With the release of PCI DSS version 3.2 in April 2016, the SAQs also received major updates. Many merchants and service providers are therefore asking why the PCI Security Standards Council (SSC) is already revising the SAQs so soon after a major change. According to the Council, the changes are meant only to clarify points of confusion around the SAQs, and there are “no major changes.” Although the changes are considered minor, the Council notes that the “changes do include the addition of guidance and may impact how SAQs are filled out.” In practice this means a merchant completing one of the affected SAQs for 2017 should re-read the Before You Begin section and check whether any requirements have been added to its questionnaire.

Changed SAQs

The following PCI DSS SAQs were revised in the January 2017 release (Revision 1.1). The SAQs not listed here (for example, SAQ A-EP, SAQ B, SAQ P2PE and SAQ D) were not changed in this revision:

SAQ A Changes (PCI DSS 3.2, Revision 1.1)

Updated Document Changes to clarify requirements added in the April 2016 update.

Added note to Before You Begin section to clarify intent of inclusion of PCI DSS Requirements 2 and 8.

SAQ B-IP Changes (PCI DSS 3.2, Revision 1.1)

Updated Document Changes to clarify requirements added in the April 2016 update.

Updated Before You Begin section to clarify term “SCR” and intent of permitted systems.

Added Requirement 8.3.1 to align with the intent of Requirement 2.3.

Requirement 8.3.1: Use multi-factor authentication for all non-console administrative access into the cardholder data environment.

Explanation: Merchants that perform administrative access via non-console connections (for example, remote access to a terminal or router over the network rather than from a directly attached keyboard) are already required to secure those connections with strong cryptography (Requirement 2.3). The addition of Requirement 8.3.1 provides consistency in how such connections are secured: the session must be encrypted and the administrator must be authenticated with more than one factor. As with the other requirements introduced in PCI DSS 3.2, Requirement 8.3.1 is considered a best practice until January 31, 2018, after which it becomes a requirement.

Added Requirement 11.3.4 to align with the requirements in other SAQs for merchants using segmentation.

Requirement 11.3.4: Verify segmentation controls (where segmentation is used).

Explanation: SAQ B-IP requires that specific device types be used, and that the defined devices not be connected to other systems. The addition of Requirement 11.3.4 to SAQ B-IP is consistent with the requirements in other SAQs for merchants using segmentation: if segmentation is what keeps those systems out of scope, the segmentation must be verified to be operational and effective.

SAQ C Changes (PCI DSS 3.2, Revision 1.1)

Updated Document Changes to clarify requirements added in the April 2016 update.

Added footnote to Before You Begin section to clarify intent of permitted systems.

Checkboxes fixed in Requirements 8.1.6 and 11.3.4.

SAQ C-VT Changes (PCI DSS 3.2, Revision 1.1)

Updated Document Changes to clarify requirements added in the April 2016 update.

Added footnote to Before You Begin section to clarify intent of permitted systems.

Added Requirement 8.3.1 to align with the intent of Requirement 2.3.

Requirement 8.3.1: Use multi-factor authentication for all non-console administrative access into the cardholder data environment.

Explanation: Merchants that perform administrative access via non-console connections are already required to secure those connections with strong cryptography (Requirement 2.3), and the addition of Requirement 8.3.1 provides consistency in how such connections are secured.

Added Requirement 11.3.4 to align with the requirements in other SAQs for merchants using segmentation.

Requirement 11.3.4: Verify segmentation controls (where segmentation is used).

Explanation: SAQ C-VT requires that specific device types be used, and that the defined devices not be connected to other systems. The addition of Requirement 11.3.4 to SAQ C-VT is consistent with the requirements in other SAQs for merchants using segmentation.
